rpm -Va BAD, key ID

Jan Rękorajski baggins at pld-linux.org
Sun Jan 25 15:26:05 CET 2015


On Wed, 14 Jan 2015, Jeffrey Johnson wrote:

> 
> On Jan 13, 2015, at 3:01 PM, Elan Ruusamäe wrote:
> 
> > On 13.01.2015 19:43, Jeffrey Johnson wrote:
> >> On Jan 13, 2015, at 11:30 AM, Elan Ruusamäe wrote:
> >> 
> >>> rpm -Va emits such messages:
> >>> 
> >>>  error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
> >>> 
> >> What package is header #123? (try rpm -Vavv which should display package names near h#123).
> > that #123 is pretty much every package in the system.
> > h#xxx starts from #2 and ends with #148. 149 packages in system, 1 fake gpg package.
> > 
> > rpm -Vavv of 5.4.14 and 5.4.14 can be obtained  from here:
> > 
> > http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
> >>> that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
> >>> 
> >>> 
> >>> I've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 has caused it
> >>> 
> >> rpm-5.4.14 may not attempt to verify header signatures while verifying, I forget when enabled.
> >> 
> >> Removing and re-importing 0xe4f1bc2d is the 1st thing to try.
> >> 
> >> You can easily patch out the attempt to verify header signatures in 5.4.15.
> >> 
> >> Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
> >> and whether the public key is imported or included in packages.
> >> 
> > gpg-pubkey-e4f1bc2d-47b351f0 is the key used to sign pld th packages:
> > 
> > $ rpm -qi gpg-pubkey-e4f1bc2d-47b351f0
> > 
> > Name        : gpg-pubkey                   Relocations: (not relocatable)
> > Version     : e4f1bc2d                          Vendor: (none)
> > Release     : 47b351f0                      Build Date: Fri Oct 10 01:19:35 2014
> > Install Date: Fri Oct 10 01:19:35 2014      Build Host: localhost
> > Group       : Public Keys                   Source RPM: (none)
> > Size        : 0                                License: pubkey
> > Signature   : (none)
> > Summary     : gpg(RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>)
> ---------------------------^^^^ Presumably this is an RSA public key.
> 
> > Architecture: (none)
> > Description :
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > Version: RPM 5.4.10 (BeeCrypt)
> -------------- ^^^^^^^^^^ exported by rpm-5.4.10
[...]

> > 
> 
> Try resigning a package with the same key and importing using rpm-5.4.15. Does that "fix"?

No, packages signed with 5.4.15 also fail to verify with it.
The following command is used to sign packages:

rpm --resign --define '_signature gpg' --define '_gpg_name e4f1bc2d' files

So that's not a problem with our setup; from my perspective it looks like
5.4.15 has broken RSA sig verification. Can you look into it?

> There were many fixes for RSA signatures in rpm-5.4.15.
> 
> These were fixes for known problems repeatedly tested with all five crypto implementations, not regressions.
> 
> The testing does not exclude a regression, but there are known incompatibilities between
> rpm-5.4.15 and earlier versions of RPM with RSA signatures.

Can you elaborate what kind of incompatibilities we can expect?

-- 
Jan Rękorajski                    | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
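The thread turns on two diagnostic questions: which headers (h#N) fail for which key ID, and whether the key named in the error is actually imported and of the algorithm the error message claims (the error says "DSA signature" while the imported gpg-pubkey Summary says "RSApub"). Below is an added example script, not code from the thread or from RPM itself, that parses `rpm -Va` stderr lines of the shape quoted above and cross-checks them against the `gpg-pubkey-*` packages on the box. The sample error lines and the second key ID 0123abcd are constructed; the regex for the Summary line assumes rpm's "gpg(RSApub ..." / "gpg(DSApub ..." naming as shown on the page.

```python
"""Parse `rpm -Va` header-signature errors and cross-check them against imported keys."""
import re
from collections import defaultdict

# Constructed sample stderr from `rpm -Va`, modelled on the line quoted in the
# thread; it is not output captured from the reporter's system.
SAMPLE_RPM_VA = """\
error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#4): Header V4 RSA signature: OK, key ID e4f1bc2d
error: rpmdb (h#5): Header V4 DSA signature: BAD, key ID 0123abcd
missing     /etc/constructed-example.conf
"""

# Constructed map of imported gpg-pubkey package names to their `rpm -qi` Summary.
# The PLD key entry reproduces the Summary quoted in the thread; 0123abcd is
# deliberately absent so the "key not imported" path is exercised.
SAMPLE_PUBKEYS = {
    "gpg-pubkey-e4f1bc2d-47b351f0":
        "gpg(RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>)",
}

# Shape of the error line as quoted in the thread. Algorithm and status are kept
# open-ended rather than assuming the full set of words rpm can print.
ERROR_RE = re.compile(
    r"^error: rpmdb \(h#(?P<hnum>\d+)\): Header V(?P<ver>\d) (?P<algo>[A-Z]+) "
    r"signature: (?P<status>[A-Z]+), key ID (?P<keyid>[0-9a-f]{8})$"
)
PUBKEY_NAME_RE = re.compile(r"^gpg-pubkey-(?P<keyid>[0-9a-f]{8})-(?P<ts>[0-9a-f]{8})$")
# Assumption: the Summary names the key type as "gpg(RSApub ..." or "gpg(DSApub ...".
PUBKEY_SUMMARY_RE = re.compile(r"^gpg\((?P<algo>RSA|DSA)pub\b")


def parse_rpm_va(text):
    """Return one dict per header-signature error line; other verify output is ignored."""
    records = []
    for line in text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["hnum"] = int(rec["hnum"])
            rec["ver"] = int(rec["ver"])
            records.append(rec)
    return records


def summarize(records):
    """Group header numbers by status and key ID: {"BAD": {"e4f1bc2d": [2, 3]}, ...}."""
    out = defaultdict(lambda: defaultdict(list))
    for rec in records:
        out[rec["status"]][rec["keyid"]].append(rec["hnum"])
    return {status: {k: sorted(v) for k, v in keys.items()} for status, keys in out.items()}


def check_key_consistency(records, pubkeys):
    """For every key ID with a BAD result, report whether a matching gpg-pubkey
    package is imported, which algorithm its Summary claims, and whether the
    error messages name a different algorithm (the DSA-vs-RSA clue in the thread)."""
    imported = {}
    for name, summary in pubkeys.items():
        nm = PUBKEY_NAME_RE.match(name)
        sm = PUBKEY_SUMMARY_RE.match(summary)
        if nm:
            imported[nm.group("keyid")] = sm.group("algo") if sm else None
    findings = {}
    for rec in records:
        if rec["status"] != "BAD":
            continue
        f = findings.setdefault(rec["keyid"], {
            "imported": rec["keyid"] in imported,
            "key_algo": imported.get(rec["keyid"]),
            "message_algos": set(),
            "bad_headers": [],
        })
        f["message_algos"].add(rec["algo"])
        f["bad_headers"].append(rec["hnum"])
    for f in findings.values():
        f["bad_headers"].sort()
        f["algo_mismatch"] = f["key_algo"] is not None and any(
            a != f["key_algo"] for a in f["message_algos"])
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_* with real `rpm -Va 2>&1` output and `rpm -qi gpg-pubkey-*`
    # Summaries to run this against a live rpmdb.
    recs = parse_rpm_va(SAMPLE_RPM_VA)
    for status, keys in summarize(recs).items():
        for keyid, headers in keys.items():
            print(f"{status:>4} key ID {keyid}: headers {headers}")
    for keyid, f in check_key_consistency(recs, SAMPLE_PUBKEYS).items():
        print(f"key ID {keyid}: imported={f['imported']} key_algo={f['key_algo']} "
              f"message_algos={sorted(f['message_algos'])} algo_mismatch={f['algo_mismatch']}")
```

On the reporter's box every header from h#2 to h#148 reports BAD for the single key e4f1bc2d, so the expected output of a run there is one BAD group covering the whole rpmdb plus an algorithm mismatch flag for that key; a mismatch confined to one key, with the key imported, points at the verifier's handling of that key type rather than at a missing or wrong key import.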

